mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

DKIM signing not working in the current master branch #151

Closed tehXor closed 7 years ago

tehXor commented 7 years ago

Without any changes to my key files or their location in the current master branch and with /data/conf/rspamd/local.d/dkim_signing.conf but without /data/conf/rspamd/local.d/dkim.conf DKIM signing isn't working. When I re-add the old dkim.conf (and keep the new dkim_signing.conf) it is working again.

I haven't looked into it a lot yet, however without dkim.conf no condition script seems to be loaded while with it there is the following log line:

#8(main) <o9hcin>; cfg; dkim_module_config: init condition script for DKIM signing

I'm not sure if it should work without the condition script due to dkim_signing.conf now?

andryyy commented 7 years ago

Hi, it is very important that you are running Rspamd >= 1.5.

tehXor commented 7 years ago

Hmm, I'm using the current mailcow/rspamd:latest and docker-compose exec rspamd-mailcow rspamadm --version says I have Rspamadm 1.5.4. I'm not sure though if this means that Rspamd itself also is > 1.5...

andryyy commented 7 years ago

I cannot reproduce it.

What is in the logs when you send out a mail? Have you changed the selector or anything like this?

tehXor commented 7 years ago

The logs when sending a mail only seem to differ in the lines

rspamd-mailcow_1     | 2017-03-24 16:47:56 #13(normal) <c1c0db>; lua; [string "r...]:7: set domain found in smtp from field to domain.de
rspamd-mailcow_1     | 2017-03-24 16:47:56 #13(normal) <c1c0db>; lua; [string "r...]:21: found dkim key file for domain domain.de

which are present when I (re)start rspamd with the old dkim.conf but are missing without it. I can't see any errors or things like that without the old file (but maybe I'm looking for the wrong entries). DKIM selector is the mailcow default dkim and I'm not aware of any other changes... Maybe it's a problem with the old data in /var/lib/rspamd/? But I don't really like to just flush that as I'm not exactly sure what is saved in it...

andryyy commented 7 years ago

Can you try this first? =>

docker-compose stop rspamd-mailcow
docker-compose rm rspamd-mailcow
docker rmi mailcow/rspamd
docker pull mailcow/rspamd
docker-compose up -d

Just to be sure there is no problem with the image itself. Are you fine with sending me your docker-compose rspamd-mailcow rspamadm configdump output to info@servercow.de ?

andryyy commented 7 years ago

@tehXor Can you retry with the latest image?

tehXor commented 7 years ago

Sorry for being so late! I just merged and repulled. Now DKIM signing works out of the box with only the old dkim.conf. Judging from the rspamd web GUI I'd assume we moved back one version? Let me know if I could test/do anything (i.e. should I try the new/old dkim_signing.conf with this image?).

andryyy commented 7 years ago

Yes, it was an unstable build, so this should not have been 1.5.4 anyway - sorry.

You could try to remove the local.d/dkim.conf (not that one in the image) and re-add dkim_signing.conf to local.d. That would be great! :-)

tehXor commented 7 years ago

So, when I remove the old dkim.conf and re-add dkim_signing.conf it looks like DKIM signing works for the @domain.de of the user but not for any alias. So if a user username@domain1.de sends with the alias aliasusername@domain2.de the mail doesn't get signed. Besides the missing DKIM_SIGNED symbol of the outgoing mail I cannot see any difference in the rspamd log...

andryyy commented 7 years ago

But you added the key for domain2? That's just a matter of configuration then, I think. Thank you!

tehXor commented 7 years ago

Yes, all DKIM keys for all domains were always present and unchanged.

andryyy commented 7 years ago

Should work with use_domain = "envelope"; - can you verify this? :-)

Edit: No, sorry, allow_username_mismatch = true; should be the way to go.

tehXor commented 7 years ago

Yup, changing both or only allow_username_mismatch = true; works. I'd guess that use_domain = "envelope"; is also the better option, as there may be mailing software which is doing unexpected stuff to the header (i.e. ticketing/CRM systems which set the from to the user's configured e-mail address no matter if it's an internal or external one) and I don't see that potential with the envelope right now. Considering this, allow_hdrfrom_mismatch = false; maybe could be changed as well - or do you see security problems with it?
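
An added example, not part of the thread and not rspamd's or mailcow's code: a simplified Python model of how the three dkim_signing options named above interact, run over the alias case from this issue. The function names, the order of the checks, the alias envelope sender and external.example are assumptions made for illustration.

```python
# Simplified model (assumption, not rspamd source) of the dkim_signing
# options named in this thread and how they decide whether a mail is signed.
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class SigningPolicy:
    use_domain: str = "header"             # "header" or "envelope"
    allow_hdrfrom_mismatch: bool = False
    allow_username_mismatch: bool = False


def domain_of(addr: str) -> Optional[str]:
    """Lower-cased domain part of an address, or None if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def signing_domain(policy: SigningPolicy, auth_user: str, envelope_from: str,
                   header_from: str, keys: Set[str]) -> Tuple[Optional[str], str]:
    """Return (domain to sign for, or None if unsigned, and the reason)."""
    hdom, edom, udom = (domain_of(a) for a in (header_from, envelope_from, auth_user))
    if not policy.allow_hdrfrom_mismatch and edom and hdom != edom:
        return None, "header From and envelope From domains differ"
    chosen = hdom if policy.use_domain == "header" else edom
    if chosen is None:
        return None, "no domain to sign for"
    if not policy.allow_username_mismatch and udom != chosen:
        return None, "authenticated user's domain differs from signing domain"
    if chosen not in keys:
        return None, "no key for " + chosen
    return chosen, "signed"


# Constructed sample data: keys exist for both local domains, as in the issue.
KEYS = {"domain1.de", "domain2.de"}
ALIAS_MAIL = dict(auth_user="username@domain1.de",
                  envelope_from="aliasusername@domain2.de",
                  header_from="aliasusername@domain2.de", keys=KEYS)
# Constructed: software rewrites the header From to an external address.
REWRITTEN_MAIL = dict(auth_user="username@domain1.de",
                      envelope_from="username@domain1.de",
                      header_from="customer@external.example", keys=KEYS)

if __name__ == "__main__":
    for name, policy in [
        ("all strict", SigningPolicy()),
        ("use_domain=envelope", SigningPolicy(use_domain="envelope")),
        ("allow_username_mismatch", SigningPolicy(allow_username_mismatch=True)),
    ]:
        print(name, "->", signing_domain(policy, **ALIAS_MAIL))
```

In this model the alias mail stays unsigned until allow_username_mismatch is enabled, and the rewritten-header mail is only ever signed for the sender's own envelope domain, never for the external header domain.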

tehXor commented 7 years ago

I think it's safe to close this as it meanwhile should work with whatever specific setup in current versions (: